From ef645dee4208046ab05b7e09726ceccab782391d Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Sat, 6 Jan 2024 23:02:42 +0000 Subject: [PATCH 01/11] Introduce Official Bandit Images Folks are using various bandit images kindly built by others, but we should really start providing one of our own that builds directly from source (the others use pip install). Should a different container image be subjected to some sort of attack (maintainer take over), this could lead to some serious problems for those using Bandit. This PR includes an action to build, publish and sign the image using sigstore cosign. This way (should they wish) users can verify that the source of origin for these images was the official repo. You can see an example of this below, where I tested the action in my own test fork (bandit-test): https://search.sigstore.dev/?logIndex=61918446 Signed-off-by: Luke Hinds --- .github/workflows/build-publish-image.yml | 54 +++++++++++++++++++++++ README.rst | 39 ++++++++++++++++ docker/Dockerfile-py310 | 29 ++++++++++++ docker/Dockerfile-py311 | 29 ++++++++++++ docker/Dockerfile-py312 | 29 ++++++++++++ docker/Dockerfile-py38 | 29 ++++++++++++ docker/Dockerfile-py39 | 29 ++++++++++++ 7 files changed, 238 insertions(+) create mode 100644 .github/workflows/build-publish-image.yml create mode 100644 docker/Dockerfile-py310 create mode 100644 docker/Dockerfile-py311 create mode 100644 docker/Dockerfile-py312 create mode 100644 docker/Dockerfile-py38 create mode 100644 docker/Dockerfile-py39 diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml new file mode 100644 index 000000000..78c72b50f --- /dev/null +++ b/.github/workflows/build-publish-image.yml
@@ -0,0 +1,54 @@ +name: Build and Publish Bandit Images + +on: + release: + types: [created] + +jobs: + build-and-publish: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + strategy: + matrix: + python-version: ['38', '39', '310', '311', '312'] + architecture: [amd64, arm64] + steps: + - name: Check out the repo + uses: actions/checkout@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Install Cosign + uses: sigstore/cosign-installer@v3.3.0 + with: + cosign-release: 'v2.2.2' + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v4 + with: + context: . + file: ./docker/Dockerfile-py${{ matrix.python-version }} + push: true + tags: ghcr.io/${{ github.repository }}/bandit:py${{ matrix.python-version }}-${{ matrix.architecture }} + platforms: linux/${{ matrix.architecture }} + + - name: Sign the image + env: + TAGS: ghcr.io/${{ github.repository }}/bandit:py${{ matrix.python-version }}-${{ matrix.architecture }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/README.rst b/README.rst index e32f8fd7b..c7073fa77 100644 --- a/README.rst +++ b/README.rst 
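Review bot: The pushed tags `py<ver>-<arch>` carry no release version, so each release overwrites the previous image and a consumer can neither pin to a particular Bandit release nor verify an older image against the `refs/tags/<version>` identity the README gives; the same applies to the single `latest` tag introduced in the later "Single python release and review points" commit. Adding a second, immutable tag to the `tags:` list (and to `TAGS` in the sign step), e.g. `ghcr.io/${{ github.repository }}/bandit:${{ github.event.release.tag_name }}-py${{ matrix.python-version }}-${{ matrix.architecture }}`, keeps a per-release reference alongside the moving one. Separately, as I read the GitHub docs the `created` activity type does not fire for releases that are first saved as a draft and published later, so such releases would get no image at all; `types: [published]` is the usual choice for publish-on-release workflows — worth confirming.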
@@ -83,3 +83,42 @@ https://greentreesnakes.readthedocs.org/en/latest/ Documentation of the various types of AST nodes that Bandit currently covers or could be extended to cover: https://greentreesnakes.readthedocs.org/en/latest/nodes.html + +Container Images +---------------- + +Bandit is available as a container image, built within the bandit repository +using GitHub Actions. The image is available on gchr.io: + +```bash +docker pull gcr.io/pycqa/bandit/bandit:py312-arm64 +``` + +The image is built for the following architectures: + +* amd64 +* arm64 + +The image is tagged with the Python version and architecture, for example: + +* py312-amd64 +* py312-arm64 + +Python versions supported are: + +* 3.8 (py38-amd64) +* 3.9 (py39-amd64) +* 3.10 (py310-amd64) +* 3.11 (py311-amd64) +* 3.12 (py312-amd64) + +Every image is signed with sigstore cosign and it is possible to verify the +source of origin using the following cosign command: + +```bash +cosign verify ghcr.io/pycqa/bandit/bandit:py39-amd64 \ + --certificate-identity https://github.com/pycqa/bandit/.github/workflows/build-publish-image.yml@refs/tags/1.7.6 \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com +``` + +Where `1.7.6` is the release version of Bandit. \ No newline at end of file diff --git a/docker/Dockerfile-py310 b/docker/Dockerfile-py310 new file mode 100644 index 000000000..55bbc0aba --- /dev/null +++ b/docker/Dockerfile-py310 
@@ -0,0 +1,29 @@ +# +# Copyright 2024 Bandit Authors +# +# SPDX-License-Identifier: Apache-2.0 +# ############################################################################# +# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares +# the current commit findings to the parent commit findings. +# To do this it checks out the parent commit, runs Bandit (with any provided +# filters or profiles), checks out the current commit, runs Bandit, and then +# reports on any new findings. +# ############################################################################# + +FROM python:3.10-alpine + +# Install Git (required for pbr versioning) +RUN apk add --no-cache git + +# Copy the source code into the container +COPY . /bandit + +# Set the working directory +WORKDIR /bandit + +# Install Bandit from the source code using pip +RUN pip install . + +# Define entrypoint and default command +ENTRYPOINT ["bandit"] + diff --git a/docker/Dockerfile-py311 b/docker/Dockerfile-py311 new file mode 100644 index 000000000..293360bc1 --- /dev/null +++ b/docker/Dockerfile-py311 
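Review bot: The header comment describes Bandit Baseline (running Bandit against a commit and its parent and diffing the findings), which is not what this Dockerfile builds; it looks copied from another file. The same header appears in the Dockerfile-py311, Dockerfile-py312, Dockerfile-py38 and Dockerfile-py39 hunks of this commit. Replace the block with a description of this image, e.g. `# Builds the official Bandit image from the repository source on python:3.10-alpine.` The five files also differ only in their FROM line; `ARG PYTHON_VERSION=3.12` followed by `FROM python:${PYTHON_VERSION}-alpine`, with the version passed as a build-arg from the matrix, would avoid keeping five copies in sync.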
@@ -0,0 +1,29 @@ +# +# Copyright 2024 Bandit Authors +# +# SPDX-License-Identifier: Apache-2.0 +# ############################################################################# +# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares +# the current commit findings to the parent commit findings. +# To do this it checks out the parent commit, runs Bandit (with any provided +# filters or profiles), checks out the current commit, runs Bandit, and then +# reports on any new findings. +# ############################################################################# + +FROM python:3.11-alpine + +# Install Git (required for pbr versioning) +RUN apk add --no-cache git + +# Copy the source code into the container +COPY . /bandit + +# Set the working directory +WORKDIR /bandit + +# Install Bandit from the source code using pip +RUN pip install . + +# Define entrypoint and default command +ENTRYPOINT ["bandit"] + diff --git a/docker/Dockerfile-py312 b/docker/Dockerfile-py312 new file mode 100644 index 000000000..be93dfc2e --- /dev/null +++ b/docker/Dockerfile-py312 
@@ -0,0 +1,29 @@ +# +# Copyright 2024 Bandit Authors +# +# SPDX-License-Identifier: Apache-2.0 +# ############################################################################# +# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares +# the current commit findings to the parent commit findings. +# To do this it checks out the parent commit, runs Bandit (with any provided +# filters or profiles), checks out the current commit, runs Bandit, and then +# reports on any new findings. +# ############################################################################# + +FROM python:3.12-alpine + +# Install Git (required for pbr versioning) +RUN apk add --no-cache git + +# Copy the source code into the container +COPY . /bandit + +# Set the working directory +WORKDIR /bandit + +# Install Bandit from the source code using pip +RUN pip install . + +# Define entrypoint and default command +ENTRYPOINT ["bandit"] + diff --git a/docker/Dockerfile-py38 b/docker/Dockerfile-py38 new file mode 100644 index 000000000..3a859114f --- /dev/null +++ b/docker/Dockerfile-py38 
@@ -0,0 +1,29 @@ +# +# Copyright 2024 Bandit Authors +# +# SPDX-License-Identifier: Apache-2.0 +# ############################################################################# +# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares +# the current commit findings to the parent commit findings. +# To do this it checks out the parent commit, runs Bandit (with any provided +# filters or profiles), checks out the current commit, runs Bandit, and then +# reports on any new findings. +# ############################################################################# + +FROM python:3.8-alpine + +# Install Git (required for pbr versioning) +RUN apk add --no-cache git + +# Copy the source code into the container +COPY . /bandit + +# Set the working directory +WORKDIR /bandit + +# Install Bandit from the source code using pip +RUN pip install . + +# Define entrypoint and default command +ENTRYPOINT ["bandit"] + diff --git a/docker/Dockerfile-py39 b/docker/Dockerfile-py39 new file mode 100644 index 000000000..2c7332a1d --- /dev/null +++ b/docker/Dockerfile-py39 
@@ -0,0 +1,29 @@ +# +# Copyright 2024 Bandit Authors +# +# SPDX-License-Identifier: Apache-2.0 +# ############################################################################# +# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares +# the current commit findings to the parent commit findings. +# To do this it checks out the parent commit, runs Bandit (with any provided +# filters or profiles), checks out the current commit, runs Bandit, and then +# reports on any new findings. +# ############################################################################# + +FROM python:3.9-alpine + +# Install Git (required for pbr versioning) +RUN apk add --no-cache git + +# Copy the source code into the container +COPY . /bandit + +# Set the working directory +WORKDIR /bandit + +# Install Bandit from the source code using pip +RUN pip install . + +# Define entrypoint and default command +ENTRYPOINT ["bandit"] + From 8c96d06a2641ce375f784430e97b6752d56f4572 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Sat, 6 Jan 2024 23:34:25 +0000 Subject: [PATCH 02/11] Update tags for other actions Signed-off-by: Luke Hinds --- .github/workflows/build-publish-image.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 78c72b50f..4fbbfd3c6 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -19,13 +19,13 @@ jobs: architecture: [amd64, arm64] steps: - name: Check out the repo - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry - uses: docker/login-action@v1 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} 
@@ -38,7 +38,7 @@ jobs: - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: . file: ./docker/Dockerfile-py${{ matrix.python-version }} From 2b2beca5590e05ea0903494cdd7e2b574d8c65ca Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Sun, 7 Jan 2024 07:10:05 +0000 Subject: [PATCH 03/11] Fix TOX Signed-off-by: Luke Hinds --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index c7073fa77..10cebf366 100644 --- a/README.rst +++ b/README.rst @@ -121,4 +121,4 @@ cosign verify ghcr.io/pycqa/bandit/bandit:py39-amd64 \ --certificate-oidc-issuer https://token.actions.githubusercontent.com ``` -Where `1.7.6` is the release version of Bandit. \ No newline at end of file +Where `1.7.6` is the release version of Bandit. From 9e97dd294315d2000070e07925dfcd2151d7d13f Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 8 Jan 2024 12:33:32 +0000 Subject: [PATCH 04/11] Single python release and review points Signed-off-by: Luke Hinds --- .github/workflows/build-publish-image.yml | 19 +++++++-------- README.rst | 22 +++++++---------- docker/Dockerfile | 16 +++++++++++++ docker/Dockerfile-py310 | 29 ----------------------- docker/Dockerfile-py311 | 29 ----------------------- docker/Dockerfile-py312 | 29 ----------------------- docker/Dockerfile-py38 | 29 ----------------------- docker/Dockerfile-py39 | 29 ----------------------- 8 files changed, 33 insertions(+), 169 deletions(-) create mode 100644 docker/Dockerfile delete mode 100644 docker/Dockerfile-py310 delete mode 100644 docker/Dockerfile-py311 delete mode 100644 docker/Dockerfile-py312 delete mode 100644 docker/Dockerfile-py38 delete mode 100644 docker/Dockerfile-py39 diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 4fbbfd3c6..c7896b4cd 100644 --- a/.github/workflows/build-publish-image.yml 
+++ b/.github/workflows/build-publish-image.yml @@ -3,6 +3,8 @@ name: Build and Publish Bandit Images on: release: types: [created] + schedule: + - cron: '0 0 * * 0' # Every Sunday at midnight jobs: build-and-publish: @@ -10,13 +12,8 @@ jobs: permissions: contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. id-token: write - strategy: - matrix: - python-version: ['38', '39', '310', '311', '312'] - architecture: [amd64, arm64] + steps: - name: Check out the repo uses: actions/checkout@v4 @@ -41,14 +38,14 @@ jobs: uses: docker/build-push-action@v5 with: context: . - file: ./docker/Dockerfile-py${{ matrix.python-version }} + file: ./docker/Dockerfile push: true - tags: ghcr.io/${{ github.repository }}/bandit:py${{ matrix.python-version }}-${{ matrix.architecture }} - platforms: linux/${{ matrix.architecture }} + tags: ghcr.io/${{ github.repository }}/bandit:latest + platforms: linux/amd64, linux/arm64 - name: Sign the image env: - TAGS: ghcr.io/${{ github.repository }}/bandit:py${{ matrix.python-version }}-${{ matrix.architecture }} + TAGS: ghcr.io/${{ github.repository }}/bandit:latest DIGEST: ${{ steps.build-and-push.outputs.digest }} run: | - echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/README.rst b/README.rst index 10cebf366..7254db852 100644 --- a/README.rst +++ b/README.rst 
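Review bot: With the new `schedule` trigger the checkout step has no `ref`, so the Sunday run publishes whatever is on the default branch as `latest`, overwriting the image that was built from the release. The Fulcio certificate for a scheduled run also names `...build-publish-image.yml@refs/heads/<default branch>` rather than `@refs/tags/<version>`, so the README's `cosign verify --certificate-identity ...@refs/tags/<version>` will fail for images produced by the cron even though they are signed. Either make the scheduled run check out the latest release tag and document a second identity for it, or keep the push release-only with `push: ${{ github.event_name == 'release' }}`. The deleted comment explaining why `id-token: write` is needed was useful to future readers; I would keep it.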
@@ -91,34 +91,30 @@ Bandit is available as a container image, built within the bandit repository using GitHub Actions. The image is available on gchr.io: ```bash -docker pull gcr.io/pycqa/bandit/bandit:py312-arm64 +docker pull ghcr.io/pycqa/bandit/bandit ``` The image is built for the following architectures: * amd64 * arm64 +* armv7 -The image is tagged with the Python version and architecture, for example: +To pull a specific architecture, use the following format: -* py312-amd64 -* py312-arm64 - -Python versions supported are: +```bash +docker pull ghcr.io/pycqa/bandit/bandit:- +``` -* 3.8 (py38-amd64) -* 3.9 (py39-amd64) -* 3.10 (py310-amd64) -* 3.11 (py311-amd64) -* 3.12 (py312-amd64) +Where `` is the release version of Bandit and `` is the architecture Every image is signed with sigstore cosign and it is possible to verify the source of origin using the following cosign command: ```bash cosign verify ghcr.io/pycqa/bandit/bandit:py39-amd64 \ - --certificate-identity https://github.com/pycqa/bandit/.github/workflows/build-publish-image.yml@refs/tags/1.7.6 \ + --certificate-identity https://github.com/pycqa/bandit/.github/workflows/build-publish-image.yml@refs/tags/ \ --certificate-oidc-issuer https://token.actions.githubusercontent.com ``` -Where `1.7.6` is the release version of Bandit. +Where `` is the release version of Bandit. diff --git a/docker/Dockerfile b/docker/Dockerfile new file mode 100644 index 000000000..ab33e8709 --- /dev/null +++ b/docker/Dockerfile @@ -0,0 +1,16 @@ +FROM python:3.12-alpine + +# Install Git (required for pbr versioning) +RUN apk add --no-cache git + +# Copy the source code into the container +COPY . /bandit + +# Set the working directory +WORKDIR /bandit + +# Install Bandit from the source code using pip +RUN pip install . + +# Define entrypoint and default command +ENTRYPOINT ["bandit"] diff --git a/docker/Dockerfile-py310 b/docker/Dockerfile-py310 deleted file mode 100644 index 55bbc0aba..000000000 
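Review bot: The new docker/Dockerfile runs as root: nothing after `RUN pip install .` drops privileges, so `bandit` scans mounted source trees as uid 0 and any report it writes to a bind mount (`-o`) is root-owned on the host. Add `RUN adduser -D bandit` before the install step and `USER bandit` after it; the install itself can stay as root. `COPY . /bandit` also copies the whole build context — `.git` is needed for pbr versioning, but presumably there is no `.dockerignore` yet, so tests, docs and any local virtualenv end up in the image layer; worth adding one.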
--- a/docker/Dockerfile-py310 +++ /dev/null @@ -1,29 +0,0 @@ -# -# Copyright 2024 Bandit Authors -# -# SPDX-License-Identifier: Apache-2.0 -# ############################################################################# -# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares -# the current commit findings to the parent commit findings. -# To do this it checks out the parent commit, runs Bandit (with any provided -# filters or profiles), checks out the current commit, runs Bandit, and then -# reports on any new findings. -# ############################################################################# - -FROM python:3.10-alpine - -# Install Git (required for pbr versioning) -RUN apk add --no-cache git - -# Copy the source code into the container -COPY . /bandit - -# Set the working directory -WORKDIR /bandit - -# Install Bandit from the source code using pip -RUN pip install . - -# Define entrypoint and default command -ENTRYPOINT ["bandit"] - diff --git a/docker/Dockerfile-py311 b/docker/Dockerfile-py311 deleted file mode 100644 index 293360bc1..000000000 --- a/docker/Dockerfile-py311 +++ /dev/null 
@@ -1,29 +0,0 @@ -# -# Copyright 2024 Bandit Authors -# -# SPDX-License-Identifier: Apache-2.0 -# ############################################################################# -# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares -# the current commit findings to the parent commit findings. -# To do this it checks out the parent commit, runs Bandit (with any provided -# filters or profiles), checks out the current commit, runs Bandit, and then -# reports on any new findings. -# ############################################################################# - -FROM python:3.11-alpine - -# Install Git (required for pbr versioning) -RUN apk add --no-cache git - -# Copy the source code into the container -COPY . /bandit - -# Set the working directory -WORKDIR /bandit - -# Install Bandit from the source code using pip -RUN pip install . - -# Define entrypoint and default command -ENTRYPOINT ["bandit"] - diff --git a/docker/Dockerfile-py312 b/docker/Dockerfile-py312 deleted file mode 100644 index be93dfc2e..000000000 --- a/docker/Dockerfile-py312 +++ /dev/null 
@@ -1,29 +0,0 @@ -# -# Copyright 2024 Bandit Authors -# -# SPDX-License-Identifier: Apache-2.0 -# ############################################################################# -# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares -# the current commit findings to the parent commit findings. -# To do this it checks out the parent commit, runs Bandit (with any provided -# filters or profiles), checks out the current commit, runs Bandit, and then -# reports on any new findings. -# ############################################################################# - -FROM python:3.12-alpine - -# Install Git (required for pbr versioning) -RUN apk add --no-cache git - -# Copy the source code into the container -COPY . /bandit - -# Set the working directory -WORKDIR /bandit - -# Install Bandit from the source code using pip -RUN pip install . - -# Define entrypoint and default command -ENTRYPOINT ["bandit"] - diff --git a/docker/Dockerfile-py38 b/docker/Dockerfile-py38 deleted file mode 100644 index 3a859114f..000000000 --- a/docker/Dockerfile-py38 +++ /dev/null 
@@ -1,29 +0,0 @@ -# -# Copyright 2024 Bandit Authors -# -# SPDX-License-Identifier: Apache-2.0 -# ############################################################################# -# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares -# the current commit findings to the parent commit findings. -# To do this it checks out the parent commit, runs Bandit (with any provided -# filters or profiles), checks out the current commit, runs Bandit, and then -# reports on any new findings. -# ############################################################################# - -FROM python:3.8-alpine - -# Install Git (required for pbr versioning) -RUN apk add --no-cache git - -# Copy the source code into the container -COPY . /bandit - -# Set the working directory -WORKDIR /bandit - -# Install Bandit from the source code using pip -RUN pip install . - -# Define entrypoint and default command -ENTRYPOINT ["bandit"] - diff --git a/docker/Dockerfile-py39 b/docker/Dockerfile-py39 deleted file mode 100644 index 2c7332a1d..000000000 --- a/docker/Dockerfile-py39 +++ /dev/null 
@@ -1,29 +0,0 @@ -# -# Copyright 2024 Bandit Authors -# -# SPDX-License-Identifier: Apache-2.0 -# ############################################################################# -# Bandit Baseline is a tool that runs Bandit against a Git commit, and compares -# the current commit findings to the parent commit findings. -# To do this it checks out the parent commit, runs Bandit (with any provided -# filters or profiles), checks out the current commit, runs Bandit, and then -# reports on any new findings. -# ############################################################################# - -FROM python:3.9-alpine - -# Install Git (required for pbr versioning) -RUN apk add --no-cache git - -# Copy the source code into the container -COPY . /bandit - -# Set the working directory -WORKDIR /bandit - -# Install Bandit from the source code using pip -RUN pip install . - -# Define entrypoint and default command -ENTRYPOINT ["bandit"] - From 475408c832d7b0fc01ab44a99d4076e7668fd459 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 8 Jan 2024 12:33:49 +0000 Subject: [PATCH 05/11] Single python release and review points Signed-off-by: Luke Hinds --- .github/workflows/build-publish-image.yml | 2 +- README.rst | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index c7896b4cd..27e31f920 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -41,7 +41,7 @@ jobs: file: ./docker/Dockerfile push: true tags: ghcr.io/${{ github.repository }}/bandit:latest - platforms: linux/amd64, linux/arm64 + platforms: linux/amd64, linux/arm64, linux/arm/v7, linux/arm/v8 - name: Sign the image env: diff --git a/README.rst b/README.rst index 7254db852..96ddb4a32 100644 --- a/README.rst +++ b/README.rst 
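Review bot: `linux/arm/v8` in `platforms:` is, as far as I know, normalized by containerd/buildx to `linux/arm64`, so it duplicates the `linux/arm64` entry already in the list, and the README's separate `armv8` bullet added in the same commit is misleading; please confirm with a local `docker buildx build --platform` before keeping it. The emulated `linux/arm/v7` and arm64 builds also depend on binfmt handlers being registered on the runner; unless that has been verified on ubuntu-latest, add a `docker/setup-qemu-action` step ahead of the Buildx setup so the build does not depend on the runner image's defaults.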
@@ -88,7 +88,7 @@ Container Images ---------------- Bandit is available as a container image, built within the bandit repository -using GitHub Actions. The image is available on gchr.io: +using GitHub Actions. The image is available on ghcr.io: ```bash docker pull ghcr.io/pycqa/bandit/bandit @@ -99,6 +99,7 @@ The image is built for the following architectures: * amd64 * arm64 * armv7 +* armv8 To pull a specific architecture, use the following format: From 5aab55af94b34d6b5d6a692fe232db605f475ca0 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 8 Jan 2024 14:20:03 +0000 Subject: [PATCH 06/11] Remove arch from container tag Signed-off-by: Luke Hinds --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 96ddb4a32..6445d02ac 100644 --- a/README.rst +++ b/README.rst @@ -104,7 +104,7 @@ The image is built for the following architectures: To pull a specific architecture, use the following format: ```bash -docker pull ghcr.io/pycqa/bandit/bandit:- +docker pull ghcr.io/pycqa/bandit/bandit:latest ``` Where `` is the release version of Bandit and `` is the architecture From 91ae422b7e0ae550cb6e29232070a7f9e90d28ef Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 8 Jan 2024 14:21:00 +0000 Subject: [PATCH 07/11] Remove arch from container tag Signed-off-by: Luke Hinds --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 6445d02ac..e15bbc4fc 100644 --- a/README.rst +++ b/README.rst @@ -104,7 +104,7 @@ The image is built for the following architectures: To pull a specific architecture, use the following format: ```bash -docker pull ghcr.io/pycqa/bandit/bandit:latest +docker pull --platform= ghcr.io/pycqa/bandit/bandit:latest ``` Where `` is the release version of Bandit and `` is the architecture From 8d6dcf6c8bb3365285ac22a43ec00378a8d71cee Mon Sep 17 00:00:00 2001 
From: Luke Hinds Date: Mon, 8 Jan 2024 14:21:55 +0000 Subject: [PATCH 08/11] Missed text referencing arch tag Signed-off-by: Luke Hinds --- README.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.rst b/README.rst index e15bbc4fc..e11ffba8c 100644 --- a/README.rst +++ b/README.rst @@ -107,8 +107,6 @@ To pull a specific architecture, use the following format: docker pull --platform= ghcr.io/pycqa/bandit/bandit:latest ``` -Where `` is the release version of Bandit and `` is the architecture - Every image is signed with sigstore cosign and it is possible to verify the source of origin using the following cosign command: From 69d4c68b05c0743cb96bd22d6af313d72776d93f Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Fri, 19 Jan 2024 08:21:43 +0000 Subject: [PATCH 09/11] Add workflow dispatch --- .github/workflows/build-publish-image.yml | 1 + README.rst | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 27e31f920..c40ce0702 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -5,6 +5,7 @@ on: types: [created] schedule: - cron: '0 0 * * 0' # Every Sunday at midnight + workflow_dispatch: jobs: build-and-publish: diff --git a/README.rst b/README.rst index e11ffba8c..a06f90c91 100644 --- a/README.rst +++ b/README.rst @@ -104,7 +104,7 @@ The image is built for the following architectures: To pull a specific architecture, use the following format: ```bash -docker pull --platform= ghcr.io/pycqa/bandit/bandit:latest +docker pull --platform= ghcr.io/pycqa/bandit/bandit:latest ``` Every image is signed with sigstore cosign and it is possible to verify the From 50ce0c9d76f9be73cdf38fd0fdabb89e3648d140 Mon Sep 17 00:00:00 2001 
From: Luke Hinds Date: Fri, 19 Jan 2024 12:45:43 +0000 Subject: [PATCH 10/11] On schedule or dispatch, build from last release --- .github/workflows/build-publish-image.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index c40ce0702..028a66d08 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -16,8 +16,19 @@ jobs: id-token: write steps: + + - name: Get latest release tag + if: github.event_name != 'release' + id: get-latest-tag + run: | + TAG=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name) + echo "Latest tag is $TAG" + echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV + - name: Check out the repo uses: actions/checkout@v4 + with: + ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 From 70ebbc95fedc2a74db27b9c5d0649517cc3c8226 Mon Sep 17 00:00:00 2001 From: Luke Hinds Date: Mon, 22 Jan 2024 14:36:52 +0000 Subject: [PATCH 11/11] Pin to digests --- .github/workflows/build-publish-image.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 028a66d08..d8939e702 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml 
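Review bot: `TAG=$(curl -s ... | jq -r .tag_name)` has no failure handling: an unauthenticated API call that is rate-limited or returns an error body yields `null` or an empty string, `set -e` is not in effect, and the step still succeeds. The checkout then receives `ref: ''`, which actions/checkout treats as the default branch, so a failed lookup silently publishes and signs the default branch as `latest`. Resolve the tag with the authenticated `gh` CLI (preinstalled on ubuntu-latest) and fail the step when nothing is resolved; `"$GITHUB_ENV"` should also be quoted.
```yaml
      - name: Get latest release tag
        if: github.event_name != 'release'
        id: get-latest-tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          TAG=$(gh release view --repo "${{ github.repository }}" --json tagName -q .tagName)
          if [ -z "$TAG" ] || [ "$TAG" = "null" ]; then
            echo "could not resolve the latest release tag" >&2
            exit 1
          fi
          echo "Latest tag is $TAG"
          echo "RELEASE_TAG=$TAG" >> "$GITHUB_ENV"
      # … unchanged: checkout step with ref expression …
```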
@@ -26,28 +26,28 @@ jobs: echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV - name: Check out the repo - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 with: ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3 - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Install Cosign - uses: sigstore/cosign-installer@v3.3.0 + uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 with: cosign-release: 'v2.2.2' - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5 with: context: . file: ./docker/Dockerfile